Jump To
- Install Steps
- Install Commands
- Post Install
- Enable your CKS Server
- Validate your CKS Server
- Additional CKS Servers
Install Steps
Install Docker
Download Install Script
Run Install Script
Start CKS Service
Install Commands
Install Docker
If completed during prerequisites, you can skip to "Download and Execute Setup Script"
#Install Docker
sudo curl -sSL https://get.docker.com/ | shDownload and Execute Setup Script
Shell Commands
mkdir /var/virtru
mkdir /var/virtru/scripts
cd /var/virtru/scripts
curl -s https://raw.githubusercontent.com/virtru/cks-setup-script/main/download.sh -o download.sh
bash ./download.sh
bash ./cks-setup-scripts/setup-cks-latest.shWarning: If SELinux is in use please reference this article.
Offline Install
To run the installer in offline mode first follow prerequisites listed here. Then execute:
setup-cks-latest.shRecommended
The installer will create all appropriate directories. The recommended install root directory is: /var/virtru/cks
CKS Domain Selection
During the install, enter the CKS URL of your choice. The installer creates a self-signed TLS certificate for transport security based on the domain given.
Support URL and Email
Enter your support email address, as well as the primary support domain for your organization. This will be logged by Virtru for use by our Technical Support team if error’s are generated.
Virtru Organization ID
Enter your Virtru Org ID provided by your Virtru representative. This will allow for JWT authentication to be set up with your new CKS server.
KAS Enablement
Important: You will be asked whether to enable KAS. Answer no as the default response.
Prompt:
Do you want to enable KAS [yes/no]?
Answer yes if you have been directed by your Virtru representative that this VPK deployment should include KAS support for Virtru Collaborate.
HMAC Authentication
You will be prompted to use HMAC auth:
Answer based on your deployment requirements:
- Answer
yesif HMAC authentication is required for CSE-to-VPK support. - Answer
noif the deployment only requires JWT authentication.
Self-Signed Certificate Creation
In the next section, the script will prompt for certificate request information. This information is needed to create the self-signed certificate that will be used by your CKS server as a placeholder. Once all inputs are put in place within the CKS setup wizard, we require replacing the self-signed certificate with a valid CA signed TLS certificate. This will be located in the /var/virtru/cks/ssl directory once the setup wizard completes in the following file format:
-> cks.example.crt (Public Certificate with Intermediate and Root Chain)
-> cks.example.key (Private Key)
Note:
To prevent decryption errors, the order of cert chain in the .crt file must be formatted correctly. The certificate for your CKS FQDN must come before the intermediate and/or root certificates within the .crt file.
CKS Re-Wrap Keys (RSA key pair)
Virtru Private Keystore for Virtru Solutions now supports both RSA and ECC keys.
- If you are a current Secure Share and/or Secure Reader customer, you may select either the RSA or ECC key type.
- If you are using any other Virtru application (Virtru Hosted Gateway, Gmail or Outlook plugins, etc.), please select RSA. RSA remains the default option and is required for full compatibility.
We’re actively working to expand ECC support across all Virtru applications and will provide updates as they become available
RSA is the default option. To select it, type RSA or press Enter. The installer will then generate your RSA key pair and display the key information. Review the fields carefully to ensure accuracy.
Post Install
Once completed, the setup script will have created the following:
- The Environment Variables for the Virtru Private Keystore and its companion containers
- tokens.json file that defines the HMAC token used to authenticate between Virtru and your CKS service. It is also automatically loaded into the environment variables in env/cks.env
- run.sh file to run the deployment.
- RSA Key Pair
- in the cks/keys directory, verify that rsa001.pem and rsa001.pub have 644 permissions applied
chmod 644 rsa001.pem
chmod 644 rsa001.pub- Replace self-signed certificate with a valid CA signed TLS Certificate in the /var/virtru/cks/ssl directory
Email send_to_virtru.tar.gz to Virtru
Please click here for detailed steps on downloading the send_to_virtru.tar.gz file.
Once the script has completed successfully, a file, send_to_virtru.tar.gz will be in your /var/virtru/cks/ directory. This file will contain the required information so that Virtru can communicate with your CKS appliance.
Send the file via Secure Share to the deployment team:
Enable your CKS Server
Once the script has completed, the Virtru Private Keystore is ready to turn on and verify connectivity.
Shell Commands
cd /var/virtru/cks
sh run.shExample Directory
Validate your CKS Server
Check that your CKS container started successfully with the below command
docker ps -aView the logs from the container to ensure the process started successfully
docker logs <containerID> -f
Additional CKS Servers
If you are installing CKS on multiple instances for a Highly-Available configuration, follow the instructions found here: Virtru Private Keystore (for Virtru Solutions): Install - Additional Instance, Linux Server